EP4209025A2 - Method and apparatus for critical control message transfer in networks - Google Patents

Method and apparatus for critical control message transfer in networks

Info

Publication number
EP4209025A2
Authority
EP
European Patent Office
Prior art keywords
network
communication device
information container
information
credential
Prior art date
Legal status
Pending
Application number
EP21806445.9A
Other languages
German (de)
English (en)
Inventor
Zhixian Xiang
Marcus Wong
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of EP4209025A2
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/047 Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W 12/0471 Key exchange
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery

Definitions

  • the present disclosure relates generally to wireless communications, and in particular embodiments, to techniques and mechanisms for critical control message transfer across networks.
  • the UE may use a visited network for communication.
  • the visited network may have a business relationship (e.g., a roaming agreement) with the home network and can provide local connectivity for the UE.
  • the visited network can be either public or private.
  • the home network can be either a public network or a private network.
  • the home network may guide the UE to select a visited network when the UE is out of the coverage of the home network.
  • the home network may provide a preferred network list preconfigured for the UE, such as a preferred roaming list of public networks, or a preferred network list of private networks.
  • the UE can use the preferred network list to select a visited network (e.g., one that is more reputable or less expensive in terms of roaming charges) that is preferred by the home network, before the UE registers or connects to the selected visited network.
  • the home network may provide a steering instruction to steer the UE to a more preferred network, while UE is registering or has connected to a visited network.
  • a method includes: receiving, by a communication device via a first visited network of the communication device, a message from a first home network of the communication device, the message comprising a first network information container and a credential indicator, the first network information container comprising information that is integrity protected and/or cipher protected, and the credential indicator indicating a type of a credential used for protecting the first network information container; verifying, by the communication device, the first network information container using one or more security parameters based on the type of credential; and obtaining, by the communication device when the first network information container is successfully verified, the information comprised in the first network information container.
  • the message further comprises information indicating a type of protection mechanism applied to protect the first network information container.
  • the type of protection mechanism comprises integrity only protection, cipher only protection, or integrity and cipher protection.
  • verifying the first network information container comprises: verifying, by the communication device, integrity of the first network information container using the one or more security parameters; and/or decrypting, by the communication device, the first network information container using the one or more security parameters.
  • the one or more security parameters comprise one or more of the following: a security parameter for verifying the first network information container or for accessing a network, the security parameter including a certificate, a public key or a private key, a key identifier, a synchronization or freshness quantity, a nonce, or a network security preference.
  • the method further comprises: executing, by the communication device, an instruction comprised in the first network information container when the first network information container is successfully verified.
  • the instruction instructs the communication device to connect to a second visited network, or instructs the communication device to conduct network selection to select a new visited network based on a list of candidate networks provided by the first home network.
  • the method further comprises: accessing, by the communication device, the second visited network or the new visited network using the type of the credential indicated by the credential indicator and/or information in the first network information container.
  • the second visited network is a preferred network configured by the first home network for the communication device.
  • the method further comprises: sending, by the communication device, a second network information container to the first home network via the first visited network, the second network information container comprising information that is integrity protected and/or cipher protected.
  • the method further comprises: discarding, by the communication device, the first network information container when the first network information container is not successfully verified.
  • the type of the credential comprises a 3GPP credential or a non-3GPP credential.
  • the first network information container comprises at least one of the following: a network steering instruction; a network steering policy; a list of preferred visited networks for the communication device; a quality of service (QoS) requirement for a service or a visited network; configuration and/or capability information for the communication device; or a security parameter.
  • the message further comprises the one or more security parameters.
  • the message further comprises operator information of the first home network.
  • the message is a Non-Access Stratum (NAS) message.
  • the communication device may or may not have a universal integrated circuit card (UICC).
  • the method further comprises: receiving, by the communication device, a third network information container corresponding to a second home network of the communication device, the first network information container corresponding to the first home network of the communication device.
  • at least one of the first home network and the second home network is a private network.
  • the first network information container comprises information for accessing a public network and information for accessing a private network.
  • the first home network is a public network or a private network.
  • the first visited network is a public network or a private network.
  • the message further comprises information on a usage restriction under which the first network information container is to be used.
  • the method further comprises: performing, by the communication device, authentication and authorization with the first home network via the first visited network before receiving the message.
  • a method includes: determining, by a network device of a first network, to send first information to a communication device, the first network being a home network of the communication device, and the communication device being served by a first visited network; generating, by the network device, a network information container comprising the first information, the network information container being integrity protected and/or cipher protected; determining, by the network device, a type of credential used to protect the network information container; and sending, by the network device, a message to the communication device via the first visited network, the message comprising the network information container and a credential indicator indicating the type of credential.
  • the network information container comprises at least one of the following: a network steering instruction; a network steering policy; a list of preferred visited networks for the communication device; a quality of service (QoS) requirement for a service or a visited network; configuration and/or capability information for the communication device; or a security parameter.
  • the network steering instruction instructs the communication device to connect to a second visited network, or instructs the communication device to conduct network selection to select a new visited network based on a list of candidate networks provided by the home network.
  • the message further comprises one or more security parameters used for verifying the network information container.
  • the one or more security parameters comprise one or more of the following: a security parameter for verifying the network information container or for accessing a network, the security parameter including a certificate, a public key or a private key, a key identifier, a synchronization or freshness quantity, a nonce, or a network security preference.
  • the message further comprises operator information of the home network.
  • the message is a Non-Access Stratum (NAS) message.
  • the communication device may or may not have a universal integrated circuit card (UICC).
  • the network information container comprises information for accessing a public network and information for accessing a private network.
  • the home network is a public network or a private network.
  • the first visited network is a public network or a private network.
  • the message further comprises information of usage restriction of the network information container.
  • the method further comprises: receiving, by the network device from the communication device via the first visited network, an information container comprising information that is integrity protected and/or cipher protected.
  • the message further comprises information indicating a type of protection mechanism applied to protect the network information container.
  • the type of protection mechanism comprises integrity only protection, cipher only protection, or integrity and cipher protection.
  • the type of credential comprises a 3GPP credential or a non-3GPP credential.
  • an apparatus includes: a non-transitory memory storage comprising instructions; and one or more processors in communication with the memory storage, wherein the instructions, when executed by the one or more processors, cause the apparatus to perform any one of the preceding aspects.
  • a non-transitory computer- readable media that stores computer instructions, which when executed by one or more processors of an apparatus of a first network, cause the apparatus to perform any one of the preceding aspects.
  • a system includes a network device of a first network and a communication device, the first network being a home network of the communication device, and the communication device being served by a visited network.
  • the network device is configured to perform: determining to send first information to the communication device; generating a network information container comprising the first information, the network information container being integrity protected and/or cipher protected; determining a type of credential used for protecting the network information container; and sending a message to the communication device via the visited network, the message comprising the network information container and a credential indicator indicating the type of credential.
  • the communication device is configured to perform: receiving, via the visited network, the message from the home network of the communication device; verifying the network information container using one or more security parameters based on the type of credential; and obtaining, when the network information container is successfully verified, the first information comprised in the network information container.
  • the above aspects of the present disclosure provide improved security for communicating information between a UE and its home network when the UE is out of coverage of the home network, and let the UE know what type of credential is used to protect the communicated information, so that the UE is able to verify it.
  • Figure 1 illustrates a diagram of an example scenario where a UE is out of its home network;
  • Figure 2 illustrates a diagram of a communication network, highlighting transmission of a SoR container and 3GPP credentials according to an existing technique;
  • Figure 3 shows the table 8.2.8.1.1 specified in 3GPP TS 24.501;
  • Figure 4 illustrates a diagram of an embodiment NAS message, highlighting communication of a private network information container;
  • Figure 5 is a diagram illustrating embodiment operations between a UE, a home network of the UE and a visited network of the UE;
  • Figure 6 is a diagram illustrating embodiment operations between a UE, two home networks of the UE and a visited network of the UE;
  • Figure 7 is a diagram of an embodiment method for private network information container key and policy provisioning;
  • Figure 8 is a flowchart illustrating an embodiment method for wireless communications;
  • Figure 9 is a flowchart illustrating another embodiment method for wireless communications;
  • Figure 10 is a flowchart illustrating another embodiment method for wireless communications;
  • Figure 11 is a diagram illustrating an embodiment communication system;
  • Figure 12A illustrates an example end device (ED);
  • Figure 12B illustrates an example base station;
  • Figure 13 is a block diagram of an embodiment computing system that may be used for implementing the devices and methods disclosed herein.
  • Corresponding numerals and symbols in the different figures generally refer to corresponding parts unless otherwise indicated.
  • the figures are drawn to clearly illustrate the relevant aspects of the embodiments and are not necessarily drawn to scale.
  • N3IWF: Non-3GPP Interworking Function
  • PLMN: Public Land Mobile Network
  • a user equipment (UE) out of coverage of a home network of the UE may communicate with the home network via a visited network of the UE.
  • the information may be protected using third generation partnership project (3GPP) credentials and protection mechanisms, and transmitted.
  • this scheme is not applicable to home networks that do not use or support the 3GPP credentials and protection mechanisms.
  • An example of a home network that does not use or support 3GPP credentials may include a private 3GPP network that is built for private, non-public use or for specific users.
  • Embodiments of the present disclosure provide methods for communication between a UE and a home network of the UE when the UE is out of coverage of the home network.
  • the embodiments support communication of information that is integrity protected and/or cipher protected between the home network and the UE via a visited network, and allow the UE to know whether a 3GPP or a non-3GPP credential and/or protection mechanism is to be used, so that the UE is able to select the corresponding protection mechanism and key to securely communicate with the home network, and to access visited networks as well.
  • the embodiments improve security of the communication when the UE is out of the coverage of the home network, and are applicable to public networks and private networks.
  • a network device of a network may generate a network information container including information to be sent to a communication device out of coverage of the network.
  • the network is a home network of the communication device, and the communication device is being served by a visited network.
  • the network information container may be integrity protected and/or cipher protected.
  • the network device may send, to the communication device via the visited network, a message including the network information container and a credential indicator indicating a type of credential used to protect the network information container.
  • the type of credential may be a 3GPP or non-3GPP credential.
  • the communication device may verify the network information container using one or more security parameters based on the type of credential, and obtain the information in the network information container when the verification succeeds, or discard the network information container when the verification fails. Further details are provided in the following.
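The downlink procedure summarized in the bullets above (and set out in the method aspects earlier on this page), worked through as an added example in Go. This is not code from the patent or from any 3GPP implementation: the byte values of the credential indicator, the key and function names, HMAC-SHA256 over a per-purpose derived key standing in for the K_AUSF-based SoR MAC, Ed25519 standing in for certificate-based protection, and a counter as the freshness quantity are all this example's assumptions. It covers the integrity-protected case; ciphering of the container is left out.

```go
// Added example, not code from the patent: indicator codes, key names and
// algorithms (HMAC-SHA256 for the 3GPP path, Ed25519 for the certificate path) are assumed.
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	Cred3GPP    byte = 1 // credential indicator: key left by 3GPP primary authentication
	CredNon3GPP byte = 2 // credential indicator: home network certificate / key pair
)

// Message is the NAS-carried payload: indicator, freshness counter, container, tag.
type Message struct {
	CredType       byte
	Counter        uint32
	Container, Tag []byte // tag is an HMAC (3GPP) or a signature (non-3GPP)
}

type HomeCreds struct {
	KShared []byte             // 3GPP path: shared with the UE's UICC (stand-in for K_AUSF)
	SignKey ed25519.PrivateKey // non-3GPP path: private key behind the certificate
}
type UECreds struct {
	KShared   []byte
	VerifyKey ed25519.PublicKey // from the home network certificate
	seen      map[byte]uint32   // highest counter accepted per credential type
}

func mac(k, d []byte) []byte { h := hmac.New(sha256.New, k); h.Write(d); return h.Sum(nil) }

// kdf stands in for the 3GPP KDF: a per-purpose key rather than the root key itself.
func kdf(k []byte, label string) []byte { return mac(k, []byte(label)) }

// covered binds indicator and counter to the container so neither can be swapped in transit.
func covered(m Message) []byte {
	hdr := []byte{m.CredType, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[1:], m.Counter)
	return append(hdr, m.Container...)
}

// Protect is the home network side: protect with the credential type chosen for this UE.
func Protect(hc HomeCreds, credType byte, counter uint32, info []byte) (Message, error) {
	m := Message{CredType: credType, Counter: counter, Container: info}
	switch credType {
	case Cred3GPP:
		m.Tag = mac(kdf(hc.KShared, "sor-int"), covered(m))
	case CredNon3GPP:
		m.Tag = ed25519.Sign(hc.SignKey, covered(m))
	default:
		return Message{}, errors.New("unknown credential type")
	}
	return m, nil
}

// Verify is the UE side: pick mechanism and key from the indicator, check the tag,
// then freshness. Any failure means the UE discards the container.
func (uc *UECreds) Verify(m Message) ([]byte, error) {
	var ok bool
	switch m.CredType {
	case Cred3GPP:
		ok = hmac.Equal(m.Tag, mac(kdf(uc.KShared, "sor-int"), covered(m)))
	case CredNon3GPP:
		ok = ed25519.Verify(uc.VerifyKey, covered(m), m.Tag)
	}
	if !ok {
		return nil, errors.New("integrity check failed or unknown indicator: discarded")
	}
	// Replay state changes only after the tag passed, so forged counters cannot poison it.
	if last, have := uc.seen[m.CredType]; have && m.Counter <= last {
		return nil, errors.New("stale counter (replay): discarded")
	}
	uc.seen[m.CredType] = m.Counter
	return m.Container, nil
}

// setup provisions one UE with a public home (3GPP key) and a private home (certificate);
// keys are generated here, whereas real ones live in the UICC/UDM and certificate store.
func setup() (HomeCreds, HomeCreds, *UECreds) {
	kShared := make([]byte, 32)
	rand.Read(kShared)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return HomeCreds{KShared: kShared}, HomeCreds{SignKey: priv}, &UECreds{KShared: kShared, VerifyKey: pub, seen: map[byte]uint32{}}
}

func main() {
	publicHome, privateHome, ue := setup()
	steer := []byte("steer: leave visited network 120, connect to 130") // constructed instruction
	show := func(label string, m Message) {
		info, err := ue.Verify(m)
		fmt.Printf("%-24s info=%q err=%v\n", label, info, err)
	}
	m, _ := Protect(publicHome, Cred3GPP, 1, steer)
	show("public home, 3GPP key", m)
	show("same message replayed", m)
	m, _ = Protect(privateHome, CredNon3GPP, 1, append([]byte{}, steer...))
	m.Container[0] ^= 1 // the visited network edits the instruction in transit
	show("private home, tampered", m)
}
```

Run it with `go run`: the first message verifies, its replay is rejected by the counter, and the container edited in transit fails the signature check and is discarded, which is what the patent requires of the UE. Note the ordering in Verify: replay state is touched only after the tag checks out, so a forwarding network cannot advance the counter with forged messages, and an altered credential indicator simply makes the UE pick the wrong key and reject.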
  • a home network of a UE may be a network that the UE has a subscription with, e.g., a network that a user has subscribed for communication services.
  • the visited network may have a business relationship (e.g., a roaming agreement) with the home network and can provide local connectivity for the UE.
  • the visited network can be a public or private network.
  • the home network can be either a public or private network. (Note: Roaming is a specific term for public networks which include some regulatory requirements. The term of “roaming” is generally not used for private networks now.)
  • Figure 1 illustrates a diagram of an example scenario 100 where a UE is out of coverage of its home network.
  • a UE 105 is out of the coverage of its home network 110, and within the coverage of visited networks 120, 130.
  • each oval represents coverage of a corresponding network.
  • the UE may select the visited network 120 or 130, through which the wireless communications of the UE are performed.
  • the home network 110 may guide the UE 105 to select a visited network when the UE is out of the coverage of the home network 110.
  • the home network 110 may provide a preferred network list preconfigured for the UE, such as a preferred roaming list of public networks, or a preferred network list of private networks.
  • the UE 105 can use the preferred network list to select a visited network (e.g., one that is more reputable or less expensive in terms of roaming charges), which is preferred by the home network 110, before the UE registers or connects to the selected visited network. For example, when the UE 105 is out of the coverage of the home network 110, the UE 105 may select the visited network 130 based on a preferred network list provided by the home network 110.
  • the home network 110 may provide a steering instruction to steer the UE 105 to a more preferred network, while UE is registering or has connected to a visited network.
  • the UE 105 connects to the visited network 120 when the UE is out of the coverage of the home network 110.
  • the UE 105 may receive a steering instruction from the home network 110 instructing the UE 105 to connect to the visited network 130, which may be preferred by the home network.
  • Using a preferred network benefits both a UE and a home network of the UE (e.g., lower roaming charges). Solutions have been presented to allow a service provider of the UE, who owns the subscription of the UE, to steer its UE to a more preferred network when the UE has registered with or connected to a less preferred network.
  • 3GPP has introduced a mechanism to allow a public home network, which uses 3GPP defined credentials and security mechanisms, to steer its UE to a preferred public visited network, called “Steering of roaming” (SoR), in which the public home network sends a steering instruction via a SoR container to the UE using the control plane of the public visited network.
  • the SoR mechanism may not be suitable for a private home network when the private home network does not use the 3GPP credential and security mechanisms.
  • a private network may be a network built for private or non-public users or for specific users. For example, an enterprise network is a private network accessible only by users of an enterprise and not the general public.
  • Private networks built using the 5G specifications may use the same protocols, same procedures, and same messaging mechanisms as defined in 3GPP specifications, with the exception that such private networks may use non-3GPP credentials (e.g., certificates, public/private keys, etc.) for authentication.
  • 3GPP is examining solutions to allow a service provider of a private home network to steer its UE to another visited network, when the UE has registered or connected to a visited network.
  • a home network of a UE can provide both a preferred network list and one or more steering instructions to the UE in order to guide/steer the UE to a visited network that is more desired by the home network.
  • the two pieces of information i.e., the preferred network list and the one or more steering instructions, may be used by the UE in different phases of a connection.
  • the preferred network list may be used in a network selection phase of the UE, and the one or more steering instructions may be used when the UE is in a connected state.
  • a network may not be able to provide a preferred network list to a UE in all cases, e.g., when the network cannot anticipate where the UE will visit.
  • when the UE is outside of the home network coverage, the UE needs to connect to a visited network.
  • the underlying assumption is that the visited network (even if the visited network is not preferred by the home network operator due to, for example, high roaming charges) is well-behaved (e.g., carrying signaling traffic all the way to the UE’s home network without modifying its content, not purposefully dropping signaling traffic even if the intent of the signaling is to redirect the UE to another network, etc.).
  • under this assumption, the home network need not be concerned that the currently connected visited network of the UE will modify information sent from the home network to the UE, e.g., a preferred network list, before forwarding it to the UE.
  • a more prudent course for the home network is to apply security protection to the preferred network list when it is to be sent to the UE via the currently connected visited network. This helps secure the communication of the preferred network list, especially when the UE is accessing a visited network that is not on the preferred network list or when the visited network is not well-behaved.
  • as discussed above, the home network may not be able to provide an appropriate preferred network list to the UE in all cases while the UE is accessing the home network. Therefore, there is a need to provide such a preferred network list in real time when the UE is accessing a visited network, e.g., for the very first time.
  • the home network may need to send the list to the UE via a visited network.
  • the steering information (steering instruction) is used to steer the UE from the currently connected visited network to a new visited network.
  • the steering information is one example of a control message.
  • critical control information, such as steering information or a preferred list of visited networks determined by a home network of a UE, sent from the home network and forwarded by a visited network (e.g., a private network) to the UE, is protected end-to-end (E2E).
  • E2E protection of critical control information sent from the UE to the home network via the visited network is also desirable. It cannot be guaranteed that the visited network (e.g., one that is not well-behaved, or one that other users have previously given negative comments or ratings) delivers the control information without potentially misusing or manipulating it.
  • 3GPP standards define a dedicated container (e.g., a SoR container) to carry public network SoR instructions with integrity protection, such as with a key derived from the 3GPP credentials.
  • 3GPP credentials may include long-term keys and subscription identifiers used to uniquely identify UE subscriptions, which may be used to mutually authenticate the UE and the 3GPP core network.
  • 3GPP credentials may also be used in deriving other security parameters. These 3GPP credentials may be shared between a UE (e.g., stored in the UE’s UICC if any, such as a SIM card) and a home network (e.g., stored in UDM) of the UE. Therefore, the SoR container is closely tied to the 3GPP credentials and the UICC in the UE.
  • a key (e.g., K_AUSF) may be generated based on a primary authentication procedure between a UE and a public home network. The key is then used by the home network to integrity protect the SoR container, e.g., by calculating a message authentication code (1st code) over the SoR container using an integrity algorithm. The message authentication code may be appended to the SoR container and sent. The UE may use the same key to verify whether the SoR container has been modified during transmission.
  • the UE may compute a message authentication code (2nd code) over the received SoR container, and verify the integrity of the SoR container by comparing the 2nd code with the received 1st code. As the SoR container is only integrity-protected, it remains visible to anyone who can receive it. However, any modification to the SoR container is detectable: the message authentication code calculated over a modified SoR container will not match the code computed by the sender.
  • FIG. 2 illustrates a diagram of a communication network 200, highlighting transmission of a SoR container and 3GPP credentials according to an existing technique.
  • the network 200 includes a public home network 202 of a UE 222.
  • the UE 222 includes a UICC 224.
  • the public home network 202 includes a UDM 204 storing 3GPP credentials.
  • the public home network 202 may transmit, to the UE 222 via a network function (NF) 306, a SoR container including a SoR instruction, protected with a key derived from the 3GPP credentials stored in the UDM 204.
  • the UE 222 holds the same 3GPP credentials in the UICC 224.
  • the UE may derive the key from the 3GPP credentials in the UICC and verify the received SoR container.
  • Figure 3 shows the table 8.2.8.1.1 specified in 3GPP TS 24.501, version 16.5.1, Release 16 (2020-08), “5G; Non-Access- Stratum (NAS) protocol for 5G System (5GS); Stage 3”, which is hereby incorporated by reference.
  • Figure 3 shows a SOR transparent container in the table 8.2.8.1.1.
  • non-3GPP credentials are used for authentication and access to the standalone private networks.
  • These private networks may use non-3GPP credentials and protection mechanisms, different than the 3GPP credentials and protection mechanisms.
  • a private network may use a public/private key scheme to protect information (container) transmitted.
  • a UE may use a public key of a home network to protect a container and only the home network with a private key can recover or verify the container.
  • Non-3GPP credentials can be used in several ways, such as deriving a key from a non-3GPP credential and using the key to integrity and/or confidentiality protect a container, or having the network use a private key (of a non-3GPP credential) directly to protect the container while the UE uses the network's public key to validate it, and so on.
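The public/private key form just described, applied to the uplink direction (UE to home network via the visited network), as an added example in Go that is not part of the patent. RSA-OAEP with SHA-256, the label string, the home network identifier and the function names are this example's assumptions; the patent names no algorithm.

```go
// Added example, not code from the patent: an uplink container sealed to the
// home network's public key. RSA-OAEP, the label and the names are assumed.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The OAEP label binds the ciphertext to its intended use, so a container sealed
// for one home network cannot be opened by another, or for another purpose.
func label(homeID string) []byte { return []byte("uplink-container:" + homeID) }

// SealUplink is the UE side: only the holder of the matching private key can
// recover the information; the visited network forwards opaque bytes.
// OAEP with SHA-256 and a 2048-bit key carries at most 190 bytes, enough for
// a short steering response or network preference report.
func SealUplink(pub *rsa.PublicKey, homeID string, info []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, info, label(homeID))
}

// OpenUplink is the home network side. OAEP decoding fails on any change to the
// ciphertext, so a visited network cannot flip bits unnoticed either, although
// this alone does not prove which UE sent it (that needs a signature or MAC).
func OpenUplink(priv *rsa.PrivateKey, homeID string, ct []byte) ([]byte, error) {
	info, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, label(homeID))
	if err != nil {
		return nil, errors.New("uplink container rejected: " + err.Error())
	}
	return info, nil
}

// demoKey generates the private home network's key pair; a real deployment
// hands the public half to the UE inside the home network certificate.
func demoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	home := demoKey()
	report := []byte("selected visited network 130 per steering instruction") // constructed
	ct, _ := SealUplink(&home.PublicKey, "private-home", report)
	info, err := OpenUplink(home, "private-home", ct)
	fmt.Printf("intact:   info=%q err=%v\n", info, err)
	ct[5] ^= 1 // the visited network alters the container in transit
	info, err = OpenUplink(home, "private-home", ct)
	fmt.Printf("tampered: info=%q err=%v\n", info, err)
}
```

The label is one cheap way of expressing the usage restriction the patent attaches to a container: the home network only opens containers sealed under its own identifier and purpose. What this gives is confidentiality towards the home network; origin authentication of the UE is a separate step.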
  • the current SoR mechanism is not suitable for private networks that do not use or support 3GPP credentials for authentication and subsequent protection of containers.
  • a UE may not have a UICC storing 3GPP or non-3GPP credentials.
  • the existing technique described above e.g., in Figure 2 may not be suitable for use.
  • When a UE has subscriptions to both a public network and a private network (i.e., the UE has two home networks), these two networks may use different security or key mechanisms. There needs to be coordination between the UE and the home networks to select the right mechanism and the right key to securely convey a steering instruction and other information between the UE and the home networks.
  • Embodiments of the present disclosure provide a mechanism for communicating information between a UE and a home network of the UE via a visited network of the UE.
  • the embodiments improve security of the communication, and allow to hide the information from the visited network and to prevent the visited network from blocking the communication between the UE and its home network (as the visited network may be the network that the UE’s home network is requesting the UE to steer away from).
  • the embodiments are applicable to public networks and private networks.
  • a new private network information container may be established to convey information, such as a mobility instruction, that needs security protection, between a home network of a UE and the UE, via a visited network of the UE (i.e., the UE is out of coverage of the home network).
  • the term “private network information container” used herein in the present disclosure is merely for differing from the conventional SoR container, and should not be limited to situations where only private networks are involved.
  • the private network information container is a dedicated private network information container used to exchange critical information between the UE and its home private network, both of which may not implement the credentials and security mechanisms defined by 3GPP.
  • the private network information container may be transmitted in a NAS message, or any other applicable message.
  • the contents of the private network information container may be protected with security parameters derived from non-3GPP credentials (e.g., certificate, public or private key, etc.) according to a protection mechanism.
  • the security parameters may be established, determined, or derived through a primary authentication procedure (as per specification of 3GPP TS 33.501, version 15.4.0, Release 15 (2019-05), every UE accessing a public network or a private network needs to undergo the primary authentication procedure), or dedicated key creation procedures after an authentication procedure.
  • a dedicated key creation procedure may be performed, e.g., when a key used previously has expired. In this case, keys may be refreshed without running another primary authentication procedure.
  • the authentication procedure may be the primary authentication or a secondary authentication following a primary authentication, for example, according to 3GPP TS 33.501.
  • An embodiment mechanism may be established to allow the UE and the home network to exchange an indication to indicate which security mechanism and container will be allowed (conventionally there is a container already defined for communicating a preferred public network list) for the home network to convey the mobility instructions, when the UE is able to support multiple security mechanisms or has different subscriptions.
  • the embodiments do not have impact on UEs that do not support the embodiment mechanism.
  • the term of “private network information container” and “container” are used interchangeably.
  • Figure 4 illustrates an embodiment NAS message 400, highlighting communication of a private network information container according to an embodiment of the present disclosure.
  • the NAS message 400 may be communicated between a UE and a home network of the UE, via a visited network of the UE out of coverage of the home network.
  • the NAS message 400 may be sent by the UE or by the home network.
  • the NAS message 400 may be any existing or future NAS message that is configurable to carry a network information container. Examples of the NAS message 400 may include update or attach messages, authentication messages, service requests, and so on.
  • the NAS message 400 includes a credential indication 402, a security parameter 404 (including one or more parameters), a private network information container 406 and home operator information 408.
  • the credential indication 402 indicates a type of credential to be used with the private network information container 406, e.g., a 3GPP credential, or a non-3GPP credential.
  • the credential indication 402 may indicate whether a key used to integrity protect the private network information container 406 is based on a 3GPP credential or based on a non-3GPP credential.
  • the key may be obtained through the authentication procedure between a UE and its home network, or may be derived based on a credential of the home network.
  • the credential indication 402 indicates a type of credential used to protect the container.
  • the credential indication 402 may indicate which type of credential (e.g., 3GPP or non-3GPP) is to be used by a UE to access a visited network, e.g., authenticating the visited network.
  • the credential indication 402 may further indicate a type of protection (e.g., a security mechanism) applied to the private network information container 406.
  • the type of protection may be 3GPP or non-3GPP integrity only, 3GPP or non-3GPP cipher only, or 3GPP or non-3GPP integrity and cipher.
  • the cipher protection herein is also referred to as privacy protection, where information is encrypted based on an encryption algorithm agreed by both sender and receiver using one or more security parameters, e.g., a cipher key, by a sender, and a receiver of the information may decrypt the cipher protected information using one or more security parameters, e.g., a cipher key.
  • the cipher key may be a public key or a private key.
  • security parameters used for ciphering/encryption of information/message may include, as an example, a key and a synchronization quantity, and may also include other parameters such as a cell ID, a frequency a cell is using, and/or a transmission direction of the message (i.e., uplink or downlink), and so on.
  • the type of protection may be indicated together with the credential indication 402 or separately from the credential indication 402.
  • the credential indication 402 may be a flag (or indicator) indicating what type of credential and/or security mechanism is to be used.
  • if the flag is set to (or indicates) 3GPP (e.g., using one bit “0”), it means that a 3GPP credential and security mechanism (e.g., integrity protection) is used for the private network information container 406; if the flag is set to non-3GPP (e.g., using one bit “1”), a non-3GPP credential and security mechanism is used.
  • the credential indication 402 may be one bit indicating whether a 3GPP or non-3GPP credential is used.
  • the NAS message 400 includes a protection indicator, which may be two bits, to indicate the type of protection applied to the container.
  • the security parameter 404 may be used to verify the private network information container 406.
  • the private network information container 406 may be integrity protected and/or cipher protected.
  • a UE receiving the private network information container 406 may verify (validate or authenticate) the integrity and privacy of the private network information container 406 using the security parameter 404 (which may also be based on the type of protection indicated).
  • the security parameter 404 may include one or more of the following information:
      • one or more parameters, such as a certificate, a public key, and/or a private key, etc., which may be used for verifying the private network information container 406, or for accessing/connecting a visited network (e.g., authenticating the visited network);
      • a key identifier. The key identifier may identify a key or a key pair (e.g., public/private key pair) to be used, e.g., for verifying the container 406 (e.g., calculating a message) or for accessing/connecting a visited network;
      • a synchronization or freshness quantity (e.g., a counter or sequence number that is monotonically incremented, a counter for cryptographic synchronization). A synchronization or freshness quantity helps ensure that protection of the container cannot be replayed in the future;
      • an indicator indicating which protection algorithm (which integrity protection algorithm or which cipher protection algorithm) is to be used;
      • a nonce. A nonce is similar to the synchronization or freshness quantity but can be generated randomly. One purpose of providing a nonce is to prevent replay of protected information; or
      • a network security preference (e.g., network security policy related information). For example, this may include a security preference/policy of a network to be accessed.
  • the credential indication 402 and the security parameter 404 may be provided by a sender of the private network information container 406, such as a UE or a home network of a UE.
  • the private network information container 406 in the embodiments may be used to convey information between a UE and a home network of the UE, which requires E2E integrity and/or privacy protection.
  • Information contained in the private network information container 406 may be used by a UE to select, connect and/or access a visited network, or may be used by the home network of the UE to configure one or more visited networks, e.g., preferred visited networks, for the UE.
  • the private network information container 406 may include one or more of the following information:
      • a network steering instruction. This may be transmitted from a home network to a UE.
      • a network steering policy. This may be transmitted from a home network to a UE. An example of the network steering policy may include an order of preferences of multiple visited networks that are available for a UE to steer to, a network geographic location limitation, and so on. The preferences may be determined based on a security protection requirement. For example, a first preference may be that both cipher and integrity protections are required, a second preference may be that the cipher protection is required, and a third preference may be that the integrity protection is required. If a visited network requires cipher protection that the UE does not support, the UE may not select the visited network.
      • a list of preferred visited networks for a UE. This may be transmitted from a home network to the UE. A home network of the UE may determine/configure the list of preferred visited networks for the UE to select one to steer to.
      • a quality of service (QoS) requirement for a service (e.g., a current service) or a visited network (e.g., a target visited network). This may be transmitted from a UE to a home network of the UE. The QoS may be a requirement that is required by a service provided to the UE, or that must be met by a visited network. As an example, when a UE determines that a currently visited network does not meet the QoS, the UE may determine to connect to another visited network, even if the currently visited network may have satisfied other network steering policy.
  • Which visited network the UE is to select and connect to may be a decision made based on one or more factors, such as:
      • a steering policy (such as the network steering policy);
      • a security policy (e.g., a security protection type required by the home network or supported by the UE);
      • a QoS requirement (e.g., of the UE and/or a service);
      • UE capability (e.g., whether the UE supports a type of protection, or an RF capability); and so on.
  • Based on these requirements, the UE can be configured to select a network that is most suitably preferred by the home network. It is possible that none of the available visited networks meets all of the requirements of the UE and the home network.
  • Configuration and capability information for a UE may also be conveyed between the UE and the home network. The configuration information of the UE may include a radio frequency (RF) related parameter, such as a frequency band supported by the network or the UE.
  • the capability information of the UE may include UE security capabilities, e.g., a capability of supporting a type of protection or a protection algorithm. UE capabilities may sometimes be resent back to the UE by the home network, informing the UE that the UE capability information has been received by the home network and has not been modified by anyone trying to listen to the communications between the UE and the home network.
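The selection factors listed above, worked as an added example that is not part of the patent: a UE ranks candidate visited networks by the home network's preference order of protection types (both protections first, then cipher only, then integrity only, as in the text), and drops any candidate that fails the security policy, the UE's own protection or RF capability, the home network's preferred-network list, or the QoS bound. Network names, band numbers, latency values and all field names are constructed assumptions.

```python
from dataclasses import dataclass

# Protection types. The preference order used below is the example given in the text:
# both protections first, then cipher only, then integrity only.
BOTH, CIPHER_ONLY, INTEGRITY_ONLY, NONE = "integrity+cipher", "cipher", "integrity", "none"


@dataclass
class VisitedNetwork:
    name: str
    protection: str      # protection type the visited network applies
    bands: frozenset     # RF bands the network uses (constructed numbers)
    latency_ms: int      # QoS the network can deliver for the current service


@dataclass
class UeCapability:
    supported_protection: frozenset   # protection types the UE can run
    bands: frozenset                  # RF bands the UE supports


@dataclass
class HomePolicy:
    preference_order: list    # steering policy: acceptable protection types, most preferred first
    preferred_networks: list  # list of preferred visited networks configured by the home network
    max_latency_ms: int       # QoS requirement of the service


def meets_requirements(net, policy, ue):
    """A candidate is acceptable only if it satisfies the home network's security policy,
    the UE's security and RF capability, the preferred-network list and the QoS bound.
    A network that requires a protection type the UE does not support is never selected."""
    return (net.protection in policy.preference_order
            and net.protection in ue.supported_protection
            and net.name in policy.preferred_networks
            and bool(net.bands & ue.bands)
            and net.latency_ms <= policy.max_latency_ms)


def select_visited_network(candidates, policy, ue):
    """Return the acceptable candidate with the most preferred protection type; ties keep
    the order of the home network's preferred list. None when no candidate fits."""
    acceptable = [n for n in candidates if meets_requirements(n, policy, ue)]
    if not acceptable:
        return None
    return min(acceptable, key=lambda n: (policy.preference_order.index(n.protection),
                                          policy.preferred_networks.index(n.name)))


def should_reselect(current, policy, ue):
    """True when the currently visited network no longer meets the requirements, e.g. it
    fails the QoS bound although it satisfied the steering policy when it was chosen."""
    return not meets_requirements(current, policy, ue)


if __name__ == "__main__":
    ue = UeCapability(frozenset({BOTH, CIPHER_ONLY, INTEGRITY_ONLY}), frozenset({1, 3}))
    policy = HomePolicy([BOTH, CIPHER_ONLY, INTEGRITY_ONLY], ["net-a", "net-b", "net-c", "net-d"], 50)
    nets = [VisitedNetwork("net-a", BOTH, frozenset({78}), 40),        # band not supported by UE
            VisitedNetwork("net-b", CIPHER_ONLY, frozenset({3}), 30),
            VisitedNetwork("net-c", INTEGRITY_ONLY, frozenset({1}), 20),
            VisitedNetwork("net-d", BOTH, frozenset({1}), 200)]        # fails QoS bound
    chosen = select_visited_network(nets, policy, ue)
    print("selected:", chosen.name if chosen else None)
```

The two-level sort key makes the home network's protection preference dominate and its preferred-network order break ties, which is the behaviour the text asks for; a UE that supports only integrity protection falls through to the integrity-only candidate, and a tighter QoS bound can leave no acceptable network at all.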
  • the private network information container 406 may be used to convey information, e.g., mobility information or non-mobility information, between a home network of a UE and the UE, where the information needs E2E integrity and/or privacy protection.
  • the UE may verify the private network information container 406 using a key (e.g., generated during a primary authentication procedure with the home network) that is sent by the home network or that is derived by the UE based on the type of credential indicated by the credential indication 402, and possibly using other information, such as information carried in the security parameter 404, depending on what protection mechanism is used.
  • An advantage of using the NAS messages to carry the private network information container 406 is that a UE would not incur any roaming charges before a user plane session has been established. UEs are generally charged for the amount of user plane data transferred over a user plane protocol data unit (PDU) session, but not incurring any charges for control plane data or signaling.
  • the home operator information 408 may include information about an operator (or service provider) of a home network of a UE, e.g., an identifier of the operator. Based on the home operator information 408, a UE determines a correspondence between the private network information container 406 and the home network of the UE.
  • a private network information container may include both a protected part and an unprotected part.
  • the protected part may include the information described above, and the unprotected part may include security parameters, such as the security parameter 404.
  • the private network information container may also include the security parameters.
  • the private network information container may be communicated in the control plane between the UE and the home network, as well as the control plane between the home network and the visited network.
  • the private network information container may be carried in a NAS message between the UE and the visited network after the home network provides the private network information container to the visited network via a control plane interface between these two networks.
  • the private network information container may be protected (can be either integrity or privacy protection or both) based on a non-3GPP credential, after a UE is authenticated and authorized by a home network of the UE. That is, the home network supports non-3GPP credentials.
  • the conventional mechanism for public home networks assumes that a currently visited network of a UE is trustable and a network information container is only integrity-protected by a home network.
  • the currently visited network may be able to examine or even modify the contents of the container, such as steering instructions that instruct the UE to go to another network, and the currently visited network still delivers the container to the UE.
  • the UE may determine that the contents of the container have been examined or modified by the current visited network, and may discard the container.
  • the container may be integrity protected and cipher protected according to the embodiments of the present disclosure.
  • Protecting the container based on non-3GPP credentials may take on several forms, such as deriving a key that is used to integrity or privacy protect the container, using a private key directly to integrity or privacy protect the container by a network and a UE uses a public key of the network to validate/verify the container, etc.
  • a UE or a home network of the UE sends a private network information container, it may protect the private network information container with credentials used during the UE’s primary authentication with the home network.
  • a public key of a public/private key pair credential may be directly used to protect the container, or a key may be derived/generated based on the credential and used to protect the container.
  • a set of security parameters may be sent along with private network information container, so that the receiver of the private network information container (e.g., the UE or the home network) may be able to determine a protection scheme used to protect the private network information container and derive the necessary information (e.g., a key derived based on the primary authentication, such as Kausf) to perform integrity check and/or decryption of the private network information container if the private network information container is additionally encrypted.
  • a NAS message, e.g., the NAS message 400, may also include home operator information to differentiate the containers for different home networks.
  • the NAS message may include information of an operator 1 corresponding to the public home network of the UE, and information of an operator 2 corresponding to the private home network of the UE.
  • Each of the public home network and the private home network corresponds to one of the two network information containers in the NAS message. This information about the operators can be communicated inside or outside the private network information container in the NAS message.
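The NAS message fields of Figure 4 and the two-container message just described, as an added example that is not code from the patent: each protected unit carries the credential indication 402 (one bit), a two-bit protection indicator, security parameters 404 (key identifier, algorithm identifier and a monotonically increasing freshness counter), the home operator information 408 and the container 406. The receiver picks its key context from the operator information and the credential type, checks integrity, rejects replayed counters, and deciphers only when the protection indicator says so. All field sizes, the key-derivation labels, the operator identifiers and the credential secrets are constructed assumptions; HMAC-SHA256 stands in for the integrity algorithm and an HMAC-based keystream stands in for the cipher agreed by both ends.

```python
import hashlib
import hmac
import struct

CRED_3GPP, CRED_NON_3GPP = 0, 1                    # credential indication 402 (one bit)
PROT_INTEGRITY, PROT_CIPHER, PROT_BOTH = 1, 2, 3   # protection indicator (two bits)
ALG_HMAC_SHA256 = 1                                # assumed protection-algorithm identifier
MAC_LEN = 32

# Unprotected header (all sizes assumed):
# flags | home operator id (8) | key id | algorithm id | freshness counter (4) | container length (2)
HDR = struct.Struct("!B8sBBIH")


def derive_keys(credential, cred_type):
    """Derive an integrity key and a cipher key from a credential secret. Stand-in for
    deriving them from the key agreed in primary authentication (e.g., Kausf)."""
    label = b"3gpp" if cred_type == CRED_3GPP else b"non3gpp"
    ik = hmac.new(credential, b"pni-integrity-" + label, hashlib.sha256).digest()
    ck = hmac.new(credential, b"pni-cipher-" + label, hashlib.sha256).digest()
    return ik, ck


def keystream_xor(ck, counter, data):
    """Stand-in stream cipher: keystream block i = HMAC-SHA256(ck, counter || i).
    XOR is its own inverse, so the same call ciphers and deciphers."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(ck, struct.pack("!IH", counter, i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_message(operator_id, cred_type, prot, key_id, counter, container, credential):
    """Sender side (home network or UE): protect the container and prepend the Figure 4 fields."""
    ik, ck = derive_keys(credential, cred_type)
    body = keystream_xor(ck, counter, container) if prot & PROT_CIPHER else container
    flags = (prot << 1) | cred_type
    msg = HDR.pack(flags, operator_id, key_id, ALG_HMAC_SHA256, counter, len(body)) + body
    if prot & PROT_INTEGRITY:
        msg += hmac.new(ik, msg, hashlib.sha256).digest()   # MAC covers header and body
    return msg


class Receiver:
    """Receiver-side state: one key context per (home operator, credential type, key id),
    plus the highest counter accepted for that context, to reject replayed containers."""

    def __init__(self):
        self._ctx = {}

    def provision(self, operator_id, cred_type, key_id, credential):
        ik, ck = derive_keys(credential, cred_type)
        self._ctx[(operator_id, cred_type, key_id)] = [ik, ck, -1]

    def open(self, msg):
        """Return (home operator id, container contents) or raise ValueError."""
        flags, operator_id, key_id, alg, counter, length = HDR.unpack_from(msg)
        cred_type, prot = flags & 1, (flags >> 1) & 3
        if alg != ALG_HMAC_SHA256:
            raise ValueError("unsupported protection algorithm")
        ctx = self._ctx.get((operator_id, cred_type, key_id))
        if ctx is None:
            raise ValueError("no key for this home operator / credential type")
        ik, ck, last = ctx
        body_end = HDR.size + length
        body = msg[HDR.size:body_end]
        if prot & PROT_INTEGRITY:
            expected = hmac.new(ik, msg[:body_end], hashlib.sha256).digest()
            if not hmac.compare_digest(msg[body_end:body_end + MAC_LEN], expected):
                raise ValueError("integrity check failed")
        if counter <= last:                 # freshness: each counter value is accepted once
            raise ValueError("replayed container")
        ctx[2] = counter
        if prot & PROT_CIPHER:
            body = keystream_xor(ck, counter, body)
        return operator_id, body

    def open_all(self, msg):
        """A NAS message may carry one container per home network; walk them in turn."""
        out = []
        while msg:
            flags, _, _, _, _, length = HDR.unpack_from(msg)
            end = HDR.size + length + (MAC_LEN if (flags >> 1) & PROT_INTEGRITY else 0)
            out.append(self.open(msg[:end]))
            msg = msg[end:]
        return out


def open_status(receiver, msg):
    """Helper for the demo: ('ok', contents) or (reason, None)."""
    try:
        return "ok", receiver.open(msg)[1]
    except ValueError as err:
        return str(err), None
```

Two points worth noticing when running it: an integrity-only container (the conventional public-network case) travels in the clear, so the visited network can read a steering instruction even though it cannot alter it undetected, whereas the integrity-and-cipher container hides it; and the replay counter is advanced only after the integrity check passes, so a forged or tampered message cannot burn counter values for the legitimate sender.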
  • one embodiment may also include an indication, e.g., the indication 402 as described with respect to Figure 4, which is sent with a network information container in the same control plane message to indicate whether the network information container is protected by a 3GPP or a non-3GPP key.
  • the indication may indicate a type of credential, which may include a 3GPP or a non-3GPP credential.
  • This indication may also be used in a case where there is a predefined container (e.g., a SoR container as defined in TS 24.501), which may be configured to include information of both public and private networks.
  • the container may include a list of preferred public networks and a list of preferred private networks that the UE can visit when out of the coverage of its home network.
  • this indication may also indicate a security mechanism used for protecting this container.
  • the private network information container and relevant network functionalities that use the private network information container may require additional security considerations.
  • an authorization policy or indication may be provided regarding one or more usage restrictions for the private network information container and for those network functionalities that use the private network information container.
  • usage restrictions may include a location of the UE or a visited network where the container may be used, allowed visited network operators and visited networks in which the container or the related functionalities can be used, a valid time period during which the container is used, and so on.
  • the authorization policy and indication can be provisioned to the UE during the UE’s home network authentication and authorization procedure, or the UE’s Policy update procedure, for example.
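The usage restrictions just described, as an added example that is not part of the patent: the home network provisions a policy with the visited operators and networks in which the container may be used, the UE locations where it may be used, and a validity period; the UE stores it and checks it before acting on a container. The field names, the identifiers and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day):
    """Timezone-aware timestamp helper so validity checks do not mix naive and aware times."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ContainerPolicy:
    """Authorization policy provisioned by the home network (e.g., during authentication
    and authorization or a policy update) and stored by the UE for long-term use."""
    allowed_operators: frozenset   # visited network operators in which the container may be used
    allowed_networks: frozenset    # visited networks in which the container may be used
    allowed_locations: frozenset   # UE locations (e.g., area codes) where the container may be used
    valid_from: datetime
    valid_until: datetime


@dataclass(frozen=True)
class UsageContext:
    """What the UE knows about its current situation when a container arrives."""
    visited_operator: str
    visited_network: str
    location: str
    now: datetime


def check_usage(policy, ctx):
    """Return the list of violated restrictions; an empty list means the container may be used."""
    violations = []
    if ctx.visited_operator not in policy.allowed_operators:
        violations.append("visited operator not allowed")
    if ctx.visited_network not in policy.allowed_networks:
        violations.append("visited network not allowed")
    if ctx.location not in policy.allowed_locations:
        violations.append("UE location not allowed")
    if not (policy.valid_from <= ctx.now <= policy.valid_until):
        violations.append("outside validity period")
    return violations


def may_use_container(policy, ctx):
    """UE-side decision: act on the container only when every restriction is satisfied."""
    return not check_usage(policy, ctx)


if __name__ == "__main__":
    policy = ContainerPolicy(frozenset({"op-1", "op-2"}), frozenset({"visited-1", "visited-2"}),
                             frozenset({"area-A"}), utc(2024, 1, 1), utc(2024, 12, 31))
    ctx = UsageContext("op-1", "visited-1", "area-A", utc(2024, 6, 1))
    print("may use container:", may_use_container(policy, ctx), check_usage(policy, ctx))
```

Returning the full list of violations rather than a bare boolean lets the UE log why a container was not acted on, which is also what a home network would want reported back when a visited network is misbehaving.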
  • the embodiments are access technology agnostic and can be applied to both new radio (NR) and long term evolution (LTE) networks, or any other access technologies being considered in 3GPP, such as WiFi.
  • Current logic in the 3GPP standard is that private networks using the 3GPP-defined standards will follow the 3GPP convention of using AS and/or NAS messages as appropriate.
  • the private network information container may be extended to become a common critical information container to support both private and public networks.
  • the existing SoR container may be configured to convey information of both private and public networks.
  • the indication as discussed herein may be used for this common container to accommodate the different needs of private networks and public networks.
  • a UE has a private home network and a public home network, each of which may generate a common network information container for sending information to the UE.
  • the public home network does not need to generate a public network information container separately to send information.
  • the private home network does not need to generate a private network information container separately to send information.
  • public home networks and private home networks may use the same common network information container (e.g., same structure, same fields, and so on) to securely communicate information.
  • the example embodiments of the present disclosure can support different UE and network deployment scenarios as shown in Table 1 and Table 2 below.
  • the home network of a UE may be a public network or a private network.
  • the visited network may also be a public network or a private network.
  • Table 1 shows a case where the UE has a UICC, and the embodiments of the present application can support and be applied to the scenarios where the home network is private and the visited network is private or public.
  • Table 2 shows a case where the UE does not have a UICC, and the embodiments of the present application can support and be applied to the scenarios where the home network is public or private and the visited network is private or public.
  • FIG. 5 is a diagram illustrating embodiment operations 500 between a UE, a home network of the UE and a visited network of the UE, highlighting communication of a protected private network information container.
  • a UE 512 may be out of the coverage of its home network 514, and may enter into the coverage of a network 516.
  • the UE 512 may select the network 516 as its visited network and connect to the network 516.
  • the UE 512 may perform primary authentication and authorization with its home network 514 via the network 516 (step 522).
  • the home network 514 may be a private network that does not support 3GPP credentials.
  • the network 516 may be private or public.
  • the home network 514 may generate one or more parameters, e.g., a key, based on a non-3GPP credential, and send to the UE 512 via the visited network 516.
  • the one or more parameters may be used to protect information communicated between the UE 512 and the home network 514.
  • the home network 514 may generate a private network information container including the information, and protect the private network information using the key (and other parameters) and a security mechanism, such as applying integrity protection and/or cipher protection to the private network information container.
  • the home network 514 may then transmit a protected private network information container 532 to the UE 512 via the visited network 516 of the UE 512 (e.g., via a network function 518 of the visited network 516) (steps 524, 526).
  • the home network 514 may transmit a NAS message, e.g., the NAS message as illustrated in Figure 4, to carry the protected private network information container 532.
  • the protected private network information container 532 may include a steer instruction instructing the UE 512 to connect to a new visited network, or to perform network re-selection.
  • the protected private network information container 532 may also include a credential to be used by the UE 512 to access the new visited network (e.g., authenticating with the new visited network).
  • the UE 512 may execute the steer instruction to connect to the new visited network, and perform authentication with the new visited network (e.g., using the credential).
  • the UE 512 may then perform wireless communication through the new visited network, in which case, communication between the UE 512 and the home network 514 will be through the new visited network.
  • An embodiment network information container that is integrity/cipher protected may be used for communicating critical information between the UE 512 and the home network 514 via the new visited network.
  • the network information container may be protected using the same parameters generated during the primary authentication and authorization in step 522.
  • the UE 512 may generate a protected network information container 532 including the information, and send the protected private network information container to the home network 514 via the visited network 516, e.g., via a NAS message.
  • the NAS message may also include security parameters of the UE, such as a UE security capability.
  • the information sent by the UE 512 to the home network 514 may include a request of the UE 512 requesting to be steered to another visited network. This may be the case when a visited network of the UE does not meet a security requirement/QoS requirement of the UE and the UE wishes to be connected to another visited network. For example, if the visited network’s security setting is such that cipher protection, integrity protection or both are turned off for all subsequent communications in the visited network, the UE may request the home network for another preferred visited network.
  • the information sent by the UE 512 to the home network 514 may also include a requirement of a target visited network, and/or a QoS requirement of a service of the UE.
  • Other information may also be sent by the UE using a protected network information container, e.g., a report about a visited network. For example, when a visited network is misbehaving (e.g., requesting the UE for repeated re-authentication with the visited network), the UE wishes to report such situation back to the home network.
  • the protected container in this case can hide such information from the visited network.
  • Figure 6 is a diagram illustrating embodiment operations 600 between a UE, two home networks of the UE and a visited network of the UE, highlighting communication of respective protected private network information containers corresponding to the two home networks.
  • a UE 612 has subscriptions with two networks 614 and 616 (dual subscriptions), i.e., the UE 612 has two home networks.
  • the home network 614 may be a private network that does not support the 3GPP credentials and the home network 616 may be a public network supporting the 3GPP credentials.
  • the UE 612 may be out of the coverage of both of its home networks 614 and 616, and connect to the network 618 as its visited network.
  • both the home networks 614 and 616 instruct the UE 612 to connect to the same visited network 618, or the UE 612 selects the same visited network 618 based on requirements (e.g., steering policies, security policies, QoS requirements, and so on) of both the home networks 614 and 616.
  • the UE 612 may perform primary authentication and authorization with the home network 614 via the network 618 (steps 622, 624).
  • the UE 612 may also perform authentication with the network 618, e.g., after the primary authentication and authorization with the home network 614, based on the credential of the home network 614, e.g., using keys derived from non-3GPP credentials (step 624).
  • the UE 612 may perform primary authentication and authorization with the home network 616 via the network 618 (steps 626, 624).
  • the UE 612 may also perform authentication with the network 618, e.g., after the primary authentication and authorization with the home network 616, based on the credential of the home network 616, e.g., using keys derived from 3GPP credentials (step 624).
  • the UE 612 may authenticate and authorize with its respective home networks via the respective visited networks, and may authenticate with its respective visited networks using credentials of the respective home networks.
  • the UE 612 and the home network 614 may exchange a private network information container 642 via the visited network 618 (steps 628, 630).
  • the private network information container 642 corresponds to the home network 614.
  • the UE 612 and the home network 616 may also exchange a public network information container 644 via the visited network 618 (steps 630, 632).
  • the public network information container 644 may be protected and corresponds to the home network 616.
  • the private network information container 642 and the public network information container 644 may be integrity and/or cipher protected, and may be sent in a NAS message as discussed with respect to Figure 4.
  • the home network 614 may transmit a non-3GPP flag to the UE 612 to indicate that a non-3GPP credential is to be used by the UE.
  • a key used to verify the protected private network information container 642 or to authenticate/authorize a visited network of the UE 612 may be derived based on the non-3GPP credential.
  • the home network 616 may transmit a 3GPP flag to the UE 612 to indicate that a 3GPP credential is to be used by the UE.
  • a key used to verify the protected public network information container 644 or to authenticate/authorize a visited network of the UE 612 is derived based on the 3GPP credential.
  • FIG 7 is a diagram of an embodiment method 700 for private network information container key and policy provisioning.
  • a UE 702 out of the coverage of its private home network 3 selects a visited private network 1 (may also be referred to as network 1, or visited network 1 in the following description), and successfully conducts primary authentication and authorization with its private home network 3 via the visited private network 1 (step 1, 732).
  • This may be performed through interactions between the visited private network 1 (e.g., via a (radio) access network ((R)AN) 704 of the network 1, an access and mobility management function (AMF) 706 of the network 1, a UDM 708 of the network 1, and/or an authentication server function (AUSF) 710 of the network 1), and the home network 3 (e.g., via an AUSF 712 of the home network 3).
  • the primary authentication and authorization is between the UE 702 and its home network 3.
  • the home network 3 may generate security parameters that may be used to protect information communicated between the home network 3 and the UE 702, and/or may be used for authentication between the UE 702 and the visited network 1.
  • the home network 3 may inform the visited network 1 that the UE 702 is authenticated and authorized.
  • the visited network 1 may then determine whether to allow the UE 702 to continue to access the visited network 1, or it may request the UE 702 to perform a secondary authentication with the visited network 1. In this example of Figure 7, the visited network 1 does not request the UE 702 to perform the secondary authentication.
  • the home network 3 may provide, e.g., via the AUSF 710 of the network 1 and the AUSF 712 of the home network 3, the UE 702 with a key created based on a non-3GPP credential (to protect a container), new security parameters to be used for a private network information container, as well as a policy (restriction policy) for using the private network information container, e.g., specifying whether to allow the UE 702 to use the private network information container when the UE 702 is connected to a visited private network 2 (step 2734).
  • the foregoing information provided by the home network 3 may be generated by the home network 3 during the primary authentication and authorization with the UE 702.
  • the new security parameters and policy may not need to be provided to the UE 702 for every authentication and authorization procedure, as the information may be stored in memory of the UE 702 for long term use.
  • the step 2 (734) can occur during an authorization phase, or a policy update procedure, or other procedure which allows the home network 3 to update a configuration and policy of the UE 702.
  • the UE 702 may store the key, the security parameters and the policy for use with future private network information containers (step 3, 736).
  • the key may be used for sending or receiving a private network information container.
  • the key and the security parameter may be used to verify a private network information container sent by the home network 3 to the UE 702 via the visited network 1.
  • the key may be a public key sent by the home network 3.
  • the public key may then be used to verify the private network information container, e.g., as shown in step 5 (740) of Figure 7.
  • the home network 3 may not send the key to the UE in step 2 (734).
  • the UE 702 may derive the key based on the credential indicated in step 4 (738) of Figure 7, and verify the private network information container using the derived key.
  • the home network 3 may send, to the UE 702 via the visited network 1, a protected private network information container which contains the instruction, a security key and an indication indicating that the security key is based on a non-3GPP credential (step 4, 738).
  • the instruction in this example may steer the UE 702 to another visited network different than the visited network 1.
  • the security key may be used by the UE 702 to access that other visited network.
  • the information in step 4 (738) may be sent from a UDM 714 of the home network 3 to the UDM 708 of the network 1, to the AMF 706 of the network 1, to the RAN 704 of the network 1 and to the UE 702.
  • the information may be sent in a NAS message, e.g., the NAS message 400 as illustrated in Figure 4, in which case, the security key may be sent as part of the security parameter 404.
  • the UE 702 may use the stored key (and may also use one or more of the new security parameters sent in step 2 (734), and/or one or more security parameters carried in the NAS message) to check the authenticity of the message (verifying/authenticating the protected private network information container), and if the check passes, the UE 702 follows and executes the instruction (step 5, 740).
  • the UE 702 may verify the protected private network information container using security parameters, such as those described with respect to Figure 4.
  • the UE 702 may verify integrity and privacy of the protected private network information container.
  • the UE 702 may calculate a message authentication code (MAC) using the key stored by the UE 702 in step 736, a synchronization quantity (which may be sent by the home network 1 to the UE 702 in step 2 (734) or step 4 (738)), and the container (and potentially other information), and verify that the MAC calculated is the same as the one attached to the message that carries the container.
  • the UE 702 may also perform decryption of the message (if encrypted), e.g., based on security parameters sent by the home network 1.
  • Figure 7 merely shows an example for a private home network to deliver a private network information container to a UE.
  • the UE may also send a private network information container to its private home network with a similar procedure as shown in Figure 7. In this case, steps similar to steps 1-3 of Figure 7 may be performed. However, in step 4 (738), the UE uses an uplink control message to send the container to the home private network, and step 5 (740) is not needed.
  • FIG. 8 is a flowchart illustrating an embodiment method 800 for wireless communications.
  • the method 800 may be indicative of operations of a UE.
  • the UE interacts with its home network to conduct primary authentication and authorization (A&A). This may be performed when the UE is connecting/accessing the home network.
  • the home network in this example is a private network.
  • the UE receives and stores one or more new security parameters for future communication with the home network, such as a public key.
  • the UE may receive a private network information container from the home network via a visited network, and an indication indicating which type of credential to be used.
  • the UE may use security parameters to check security of the private network information container, e.g., by checking the integrity and/or privacy (by decrypting the container) of the container.
  • the security parameters may be sent by the home network along with the private network information container, or within the private network information container, or before transmitting the private network information container.
  • the UE determines whether the security check is successful.
  • the UE may discard the private network information container, and may send an error message to the home network, indicating that the private network information container is not successfully received.
  • the UE may obtain information contained in the private network information container, such as one or more instructions, and follow and execute the instructions.
  • the private network information container may include a steering instruction instructing the UE to connect to another visited network, which may be more preferred by the home network.
  • the UE may check whether a 3GPP credential is to be used, e.g., for authenticating with that other visited network. This may be performed based on the indication received at step 806.
  • if the indication indicates that a 3GPP credential is to be used, the UE uses the 3GPP credential stored in a UICC.
  • if the indication indicates that a non-3GPP credential is to be used, at step 820, the UE uses a non-3GPP credential obtained during the primary authentication in step 802.
  • FIG. 9 is a flowchart illustrating another embodiment method 900 for wireless communications.
  • the method 900 may be indicative of operations performed by a communication device, e.g., a UE.
  • the communication device is out of coverage of its home network and is communicating with the home network via a visited network.
  • the communication device receives a message from the home network via the visited network, where the message includes a network information container and a credential indicator (step 902).
  • the network information container includes information that is integrity protected and/or cipher protected.
  • the credential indicator indicates a type of a credential used for protecting the network information container.
  • the communication device may verify the network information container using one or more security parameters based on the credential indication (step 904).
  • the communication device may obtain the information included in the network information container when the network information container is successfully verified (step 906).
  • the communication device may then perform further operations based on the information in the network information container.
  • the information may include a steering instruction instructing the communication device to connect to another visited network, in which case, the communication device may execute the instruction to connect to and access that other visited network, e.g., based on the type of credential indicated (for example, using a key derived based on the type of credential).
  • the information may include an instruction instructing the communication device to perform cell selection to select a new visited network from a list of preferred networks provided by the home network, in which case, the communication device may select a network from the list of preferred networks as a new visited network and connect to the selected network, e.g., based on the type of credential indicated. If the network information container is not successfully verified, the communication device may discard the network information container. In this case, the communication device may send a message to the home network indicating that the network information container is not successfully received.
  • FIG. 10 is a flowchart illustrating another embodiment method 1000 for wireless communications.
  • the method 1000 may be indicative of operations performed by a network device of a network.
  • the network is a home network of a communication device.
  • the communication device is out of coverage of the home network and communicates with the home network via a visited network.
  • the network device determines to send information to the communication device (step 1002), and generates a network information container including the information, where the network information container is integrity protected and/or cipher protected (step 1004).
  • the network device determines a type of credential used to protect the network information container (step 1006).
  • the network device then sends, to the communication device via the visited network, the network information container and a credential indicator indicating the type of credential (step 1008).
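The container exchange of methods 900 and 1000 above, together with the MAC and synchronization-quantity check of step 5 (740) in Figure 7 and the credential selection of Figure 8, as an added Python model (not the patent's own code): the home network side ciphers and integrity protects a container and tags it with a credential indicator, and the UE side selects the key by that indicator, rejects stale synchronization quantities, and discards the container when the MAC does not verify. The algorithms, key derivation, indicator values and message field names are constructed assumptions, since the patent names none.

```python
"""Model of the protected private network information container exchange of
Figures 7, 9 and 10 (added example, not the patent's own code).  The patent
names no algorithms; HMAC-SHA256 for the MAC, an HMAC-derived keystream for
ciphering and the credential-to-key derivation are constructed stand-ins."""
import hashlib
import hmac
import json
import struct

# Credential indicator values (constructed; the patent only says 3GPP / non-3GPP)
CRED_3GPP = 0       # credential stored in the UICC (step 818)
CRED_NON_3GPP = 1   # credential obtained during primary authentication (step 820)


def kdf(credential: bytes, label: str) -> bytes:
    """Derive a 32-byte purpose-specific key from a credential (constructed KDF)."""
    return hmac.new(credential, label.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, sync: int, length: int) -> bytes:
    """Keystream bound to the synchronization quantity so ciphertext never repeats."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", sync, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(mac_key: bytes, cred_type: int, sync: int, container: bytes) -> bytes:
    # The MAC covers the credential indicator and the synchronization quantity,
    # so neither can be altered in transit without failing verification.
    return hmac.new(mac_key, struct.pack(">BQ", cred_type, sync) + container,
                    hashlib.sha256).digest()


class HomeNetwork:
    """Network device of method 1000: protects the container and tags it."""

    def __init__(self, credentials: dict):
        self.credentials = credentials   # {credential indicator: credential secret}
        self.sync = 0                    # synchronization quantity sent with each container

    def build_message(self, info: dict, cred_type: int) -> dict:
        """Steps 1004-1008: cipher + integrity protect, attach the credential indicator."""
        self.sync += 1
        enc_key = kdf(self.credentials[cred_type], "container-enc")
        mac_key = kdf(self.credentials[cred_type], "container-mac")
        plaintext = json.dumps(info).encode()
        container = _xor(plaintext, _keystream(enc_key, self.sync, len(plaintext)))
        return {"cred_indicator": cred_type, "sync": self.sync, "container": container,
                "mac": _mac(mac_key, cred_type, self.sync, container)}


class UE:
    """Communication device of method 900: picks the key by credential type, verifies."""

    def __init__(self, uicc_credential: bytes, non3gpp_credential: bytes):
        self.credentials = {CRED_3GPP: uicc_credential, CRED_NON_3GPP: non3gpp_credential}
        self.last_sync = 0               # highest synchronization quantity accepted so far

    def receive(self, msg: dict):
        """Steps 902-906. Returns ("ok", info) or ("error", reason); on error the
        container is discarded and the reason is what the UE would report back."""
        cred_type = msg.get("cred_indicator")
        if cred_type not in self.credentials:
            return ("error", "unknown credential type")
        if msg["sync"] <= self.last_sync:
            return ("error", "stale synchronization quantity")   # replayed container
        mac_key = kdf(self.credentials[cred_type], "container-mac")
        expected = _mac(mac_key, cred_type, msg["sync"], msg["container"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return ("error", "integrity check failed")
        self.last_sync = msg["sync"]     # accept only after the integrity check passes
        enc_key = kdf(self.credentials[cred_type], "container-enc")
        plaintext = _xor(msg["container"],
                         _keystream(enc_key, msg["sync"], len(msg["container"])))
        return ("ok", json.loads(plaintext))


if __name__ == "__main__":
    # Constructed credentials; in practice derived from primary authentication / the UICC.
    home = HomeNetwork({CRED_3GPP: b"uicc-secret", CRED_NON_3GPP: b"non3gpp-secret"})
    ue = UE(b"uicc-secret", b"non3gpp-secret")
    msg = home.build_message({"steer_to": "visited network 2"}, CRED_NON_3GPP)
    print(ue.receive(msg))       # ('ok', {'steer_to': 'visited network 2'})
    print(ue.receive(msg))       # ('error', 'stale synchronization quantity')
```

Because the credential indicator is inside the MAC input, swapping the indicator so the UE picks the other credential's key fails the integrity check rather than silently decrypting with the wrong key.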
  • Figure 11 illustrates an example communication system 1100, where embodiments of the present application may be applied.
  • the system 1100 enables multiple wireless or wired users to transmit and receive data and other content.
  • the system 1100 may implement one or more channel access methods, such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), orthogonal FDMA (OFDMA), single-carrier FDMA (SC-FDMA), or non-orthogonal multiple access (NOMA).
  • the communication system 1100 includes electronic devices (ED) 1110a-1110c, radio access networks (RANs) 1120a-1120b, a core network 1130, a public switched telephone network (PSTN) 1140, the Internet 1150, and other networks 1160. While certain numbers of these components or elements are shown in Figure 11, any number of these components or elements may be included in the system 1100.
  • the EDs 1110a-1110c are configured to operate or communicate in the system 1100.
  • the EDs 1110a-1110c are configured to transmit or receive via wireless or wired communication channels.
  • Each ED 1110a-1110c represents any suitable end user device and may include such devices (or may be referred to) as a user equipment or device (UE), wireless transmit or receive unit (WTRU), mobile station, fixed or mobile subscriber unit, cellular telephone, personal digital assistant (PDA), smartphone, laptop, computer, touchpad, wireless sensor, or consumer electronics device.
  • the RANs 1120a-1120b here include base stations 1170a-1170b, respectively.
  • Each base station 1170a-1170b is configured to wirelessly interface with one or more of the EDs 1110a-1110c to enable access to the core network 1130, the PSTN 1140, the Internet 1150, or the other networks 1160.
  • the base stations 1170a-1170b may include (or be) one or more of several well-known devices, such as a base transceiver station (BTS), a Node-B (NodeB), an evolved NodeB (eNodeB), a Next Generation (NG) NodeB (gNB), a Home NodeB, a Home eNodeB, a site controller, an access point (AP), or a wireless router.
  • the EDs 1110a-1110c are configured to interface and communicate with the Internet 1150 and may access the core network 1130, the PSTN 1140, or the other networks 1160.
  • the base station 1170a forms part of the RAN 1120a, which may include other base stations, elements, or devices.
  • the base station 1170b forms part of the RAN 1120b, which may include other base stations, elements, or devices.
  • Each base station 1170a-1170b operates to transmit or receive wireless signals within a particular geographic region or area, sometimes referred to as a “cell.”
  • the base stations 1170a-1170b communicate with one or more of the EDs 1110a-1110c over one or more air interfaces 1190 using wireless communication links.
  • the air interfaces 1190 may utilize any suitable radio access technology.
  • the system 1100 may use multiple channel access functionality, including such schemes as described above.
  • the base stations and EDs implement 5G New Radio (NR), LTE, LTE-A, or LTE-B.
  • the RANs 1120a-1120b are in communication with the core network 1130 to provide the EDs 1110a-1110c with voice, data, application, Voice over Internet Protocol (VoIP), or other services. Understandably, the RANs 1120a-1120b or the core network 1130 may be in direct or indirect communication with one or more other RANs (not shown).
  • the core network 1130 may also serve as a gateway access for other networks (such as the PSTN 1140, the Internet 1150, and the other networks 1160).
  • some or all of the EDs 1110a-1110c may include functionality for communicating with different wireless networks over different wireless links using different wireless technologies or protocols. Instead of wireless communication (or in addition thereto), the EDs may communicate via wired communication channels to a service provider or switch (not shown), and to the Internet 1150.
  • Figure 11 illustrates one example of a communication system
  • the communication system 1100 could include any number of EDs, base stations, networks, or other components in any suitable configuration.
  • Figures 12A and 12B illustrate example devices that may implement the methods and teachings according to this disclosure.
  • Figure 12A illustrates an example ED 1210 (e.g., a UE)
  • Figure 12B illustrates an example base station 1270. These components could be used in the system 1100 or in any other suitable system.
  • the ED 1210 includes at least one processing unit 1200.
  • the processing unit 1200 implements various processing operations of the ED 1210.
  • the processing unit 1200 could perform signal coding, data processing, power control, input/output processing, or any other functionality enabling the ED 1210 to operate in the system 1100.
  • the processing unit 1200 also supports the methods and teachings described in more detail above.
  • Each processing unit 1200 includes any suitable processing or computing device configured to perform one or more operations.
  • Each processing unit 1200 could, for example, include a microprocessor, microcontroller, digital signal processor, field programmable gate array, or application specific integrated circuit.
  • the ED 1210 also includes at least one transceiver 1202.
  • the transceiver 1202 is configured to modulate data or other content for transmission by at least one antenna or NIC (Network Interface Controller) 1204.
  • the transceiver 1202 is also configured to demodulate data or other content received by the at least one antenna 1204.
  • Each transceiver 1202 includes any suitable structure for generating signals for wireless or wired transmission or processing signals received wirelessly or by wire.
  • Each antenna 1204 includes any suitable structure for transmitting or receiving wireless or wired signals.
  • One or multiple transceivers 1202 could be used in the ED 1210, and one or multiple antennas 1204 could be used in the ED 1210.
  • a transceiver 1202 could also be implemented using at least one transmitter and at least one separate receiver.
  • the ED 1210 further includes one or more input/output devices 1206 or interfaces (such as a wired interface to the Internet 1150).
  • the input/output devices 1206 facilitate interaction with a user or other devices (network communications) in the network.
  • Each input/output device 1206 includes any suitable structure for providing information to or receiving information from a user, such as a speaker, microphone, keypad, keyboard, display, or touch screen, including network interface communications.
  • the ED 1210 includes at least one memory 1208.
  • the memory 1208 stores instructions and data used, generated, or collected by the ED 1210.
  • the memory 1208 could store software or firmware instructions executed by the processing unit(s) 1200 and data used to reduce or eliminate interference in incoming signals.
  • Each memory 1208 includes any suitable volatile or non-volatile storage and retrieval device(s). Any suitable type of memory may be used, such as random access memory (RAM), read only memory (ROM), hard disk, optical disc, subscriber identity module (SIM) card, memory stick, secure digital (SD) memory card, and the like.
  • the base station 1270 includes at least one processing unit 1250, at least one transceiver 1252, which includes functionality for a transmitter and a receiver, one or more antennas 1256, at least one memory 1258, and one or more input/output devices or interfaces 1266.
  • a scheduler, which would be understood by one skilled in the art, is coupled to the processing unit 1250. The scheduler could be included within or operated separately from the base station 1270.
  • the processing unit 1250 implements various processing operations of the base station 1270, such as signal coding, data processing, power control, input/output processing, or any other functionality.
  • the processing unit 1250 can also support the methods and teachings described in more detail above.
  • Each processing unit 1250 includes any suitable processing or computing device configured to perform one or more operations.
  • Each processing unit 1250 could, for example, include a microprocessor, microcontroller, digital signal processor, field programmable gate array, or application specific integrated circuit.
  • Each transceiver 1252 includes any suitable structure for generating signals for wireless or wired transmission to one or more EDs or other devices. Each transceiver 1252 further includes any suitable structure for processing signals received wirelessly or by wire from one or more EDs or other devices. Although shown combined as a transceiver 1252, a transmitter and a receiver could be separate components. Each antenna 1256 includes any suitable structure for transmitting or receiving wireless or wired signals. While a common antenna 1256 is shown here as being coupled to the transceiver 1252, one or more antennas 1256 could be coupled to the transceiver(s) 1252, allowing separate antennas 1256 to be coupled to the transmitter and the receiver if equipped as separate components.
  • Each memory 1258 includes any suitable volatile or non-volatile storage and retrieval device(s).
  • Each input/output device 1266 facilitates interaction with a user or other devices (network communications) in the network.
  • Each input/output device 1266 includes any suitable structure for providing information to or receiving/providing information from a user, including network interface communications.
  • FIG. 13 is a block diagram of a computing system 1300 that may be used for implementing the devices and methods disclosed herein.
  • the computing system can be any entity of UE, access network (AN), mobility management (MM), session management (SM), user plane gateway (UPGW), or access stratum (AS).
  • Specific devices may utilize all of the components shown or only a subset of the components, and levels of integration may vary from device to device.
  • a device may contain multiple instances of a component, such as multiple processing units, processors, memories, transmitters, receivers, etc.
  • the computing system 1300 includes a processing unit 1302.
  • the processing unit includes a central processing unit (CPU) 1314, memory 1308, and may further include a mass storage device 1304, a video adapter 1310, and an I/O interface 1312 connected to a bus 1320.
  • the bus 1320 may be one or more of any type of several bus architectures including a memory bus or memory controller, a peripheral bus, or a video bus.
  • the CPU 1314 may comprise any type of electronic data processor.
  • the memory 1308 may comprise any type of non-transitory system memory such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous DRAM (SDRAM), read-only memory (ROM), or a combination thereof.
  • the memory 1308 may include ROM for use at boot-up, and DRAM for program and data storage for use while executing programs.
  • the mass storage 1304 may comprise any type of non-transitory storage device configured to store data, programs, and other information and to make the data, programs, and other information accessible via the bus 1320.
  • the mass storage 1304 may comprise, for example, one or more of a solid state drive, hard disk drive, a magnetic disk drive, or an optical disk drive.
  • the video adapter 1310 and the I/O interface 1312 provide interfaces to couple external input and output devices to the processing unit 1302.
  • input and output devices include a display 1318 coupled to the video adapter 1310 and a mouse, keyboard, or printer 1316 coupled to the I/O interface 1312.
  • Other devices may be coupled to the processing unit 1302, and additional or fewer interface cards may be utilized.
  • a serial interface such as Universal Serial Bus (USB) (not shown) may be used to provide an interface for an external device.
  • the processing unit 1302 also includes one or more network interfaces 1306, which may comprise wired links, such as an Ethernet cable, or wireless links to access nodes or different networks.
  • the network interfaces 1306 allow the processing unit 1302 to communicate with remote units via the networks.
  • the network interfaces 1306 may provide wireless communication via one or more transmitters/transmit antennas and one or more receivers/receive antennas.
  • the processing unit 1302 is coupled to a local-area network 1322 or a wide-area network for data processing and communications with remote devices, such as other processing units, the Internet, or remote storage facilities.
  • a signal may be transmitted by a transmitting unit or a transmitting module.
  • a signal may be received by a receiving unit or a receiving module.
  • a signal may be processed by a processing unit or a processing module.
  • other steps may be performed by a verifying unit/module, an integrity checking unit/module, an obtaining unit/module, an encrypting/decrypting unit/module, an instructing unit/module, an accessing unit/module, a discarding unit/module, a performing unit/module, an authenticating and authorizing unit/module, a determining unit/module, a generating unit/module, and/or an integrity protecting unit/module.
  • the respective units/modules may be hardware, software, or a combination thereof.
  • one or more of the units/modules may be an integrated circuit, such as field programmable gate arrays (FPGAs) or application-specific integrated circuits (ASICs).

Abstract

A network device of a network may generate a network information container comprising information to be sent to a communication device. The network is a home network of the communication device, which is served by a visited network. The network information container may be integrity protected and/or cipher protected. The network device may send to the communication device, via the visited network, a message comprising the network information container and a credential indicator indicating a type of credential used to protect the network information container. The type of credential may be a 3GPP or a non-3GPP credential. The communication device may verify the network information container using one or more security parameters based on the type of credential, and obtain the information in the network information container when the verification succeeds, or discard the network information container when the verification fails.
EP21806445.9A 2020-09-29 2021-09-28 Method and apparatus for critical control message transfer across networks Pending EP4209025A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202063084793P 2020-09-29 2020-09-29
PCT/US2021/052468 WO2021243343A2 (fr) 2020-09-29 2021-09-28 Method and apparatus for critical control message transfer across networks

Publications (1)

Publication Number Publication Date
EP4209025A2 true EP4209025A2 (fr) 2023-07-12

Family

ID=78599128

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21806445.9A Pending EP4209025A2 (fr) 2020-09-29 2021-09-28 Method and apparatus for critical control message transfer across networks

Country Status (4)

Country Link
US (1) US20230231849A1 (fr)
EP (1) EP4209025A2 (fr)
CN (1) CN116349266A (fr)
WO (1) WO2021243343A2 (fr)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3656141B1 (fr) * 2017-07-18 2022-06-15 Samsung Electronics Co., Ltd. Method and system for detecting anti-steering of roaming activity in a wireless communication network

Also Published As

Publication number Publication date
WO2021243343A2 (fr) 2021-12-02
WO2021243343A3 (fr) 2022-02-24
CN116349266A (zh) 2023-06-27
US20230231849A1 (en) 2023-07-20

Similar Documents

Publication Publication Date Title
US10382206B2 (en) Authentication mechanism for 5G technologies
US10356670B2 (en) Deriving a WLAN security context from a WWAN security context
CN110049492B (zh) 通信方法、核心网网元、终端设备及存储介质
US10887295B2 (en) System and method for massive IoT group authentication
US9240881B2 (en) Secure communications for computing devices utilizing proximity services
US11178547B2 (en) Identity-based message integrity protection and verification for wireless communication
US20200162913A1 (en) Terminal authenticating method, apparatus, and system
CN110431867B (zh) 一种基于非3gpp网络的入网认证方法、相关设备及系统
US20230413060A1 (en) Subscription onboarding using a verified digital identity
CN112087724A (zh) 一种通信方法、网络设备、用户设备和接入网设备
AU2020284886A1 (en) Security context obtaining method and apparatus, and communications system
US20240080316A1 (en) Methods and apparatus for provisioning, authentication, authorization, and user equipment (ue) key generation and distribution in an on-demand network
WO2022237561A1 (fr) Communication method and apparatus
US20230231849A1 (en) Method and Apparatus for Critical Control Message Transfer Across Networks
CN114245372B (zh) 一种认证方法、装置和系统

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20230405

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)